IT Service and Cybersecurity Experts – Leverage IT Group, LLC.

What DoD Contractors Should Know About CMMC Compliance


If your business holds DoD contracts, you need to know how the new CMMC requirement will affect you. CMMC is an acronym for Cybersecurity Maturity Model Certification.

This standard is a framework with a comprehensive certification element that verifies to the DoD that a contractor or sub-contractor can adequately protect sensitive, unclassified information.

This migration to CMMC is intended to improve the security posture of the Defense Industrial Base (DIB) sector and to offer a tiered system that scales to DoD contractors of different sizes and to projects with different security requirements.

When did CMMC go into effect? November 30, 2020.

Non-compliant companies can risk losing DoD contracts or not being awarded new ones if they don’t begin using this standard and factor CMMC compliance into their overall cybersecurity strategy.

Basics of the Cybersecurity Maturity Model Certification

Who Has to Comply with CMMC and When?

Any vendor or contractor that does business with the Department of Defense is impacted by CMMC and will need to obtain this certification.

There is a phased rollout happening between November 30, 2020 and September 30, 2025. During the rollout, CMMC certificates won’t be required for all DoD contracts, but will be required for some.

A certificate is required whenever a contract specifies a particular CMMC level. After 9/30/2025, all DoD contracts will carry a CMMC requirement.

It Includes Levels of Cybersecurity Best Practices

The CMMC model is designed for scalability, so it includes a variety of levels, each representing a higher level of cybersecurity best practices.

Most levels can be cross-referenced with NIST SP 800-171.

Levels include:

  • Level 1: Basic Cyber Hygiene – This consists of 15 basic safeguard requirements that can be referenced under FAR clause 52.204-21.
  • Level 2: Intermediate Cyber Hygiene – This consists of 65 security requirements from NIST SP 800-171 and is intended as a stepping stone between Levels 1 and 3.
  • Level 3: Good Cyber Hygiene – This level includes all 110 security requirements from NIST SP 800-171, plus 20 additional practices.
  • Level 4: Proactive Cybersecurity – Level 4 adds another 110 security requirements under NIST SP 800-171, plus 46 additional practices.
  • Level 5: Advanced/Progressive Cybersecurity – In this final level, another 110 security requirements are added from NIST SP 800-171, plus 61 additional practices.

Level 1 CMMC Requirements

There are 15 basic security practices that must be followed to achieve CMMC Level 1. Here is a brief overview of what they are; they are described in more detail in the referenced guidance.

  1. Limit system access to authorized users
  2. Limit the functions and transactions of a system to authorized users
  3. Verify and control connections to and use of external information systems
  4. Control information processed on publicly accessible systems
  5. Identify information system users and processes acting on behalf of other users/devices
  6. Authenticate user/process/device identities
  7. Sanitize or destroy information media containing Federal Contract Information before disposal
  8. Limit physical access to systems and equipment
  9. Maintain audit logs of physical access to devices and monitor visitors
  10. Monitor, control, and protect communications
  11. Implement subnetworks for publicly accessible components, separated from internal networks
  12. Identify, report, and correct system and information flaws in a timely manner
  13. Provide safeguards against malicious code
  14. Keep systems updated with new protections against malicious code
  15. Perform periodic scans of information systems

Capability Areas

Each CMMC level draws on a set of capability domains, and these domains are cross-referenced against the levels. For example, the Access Control domain's requirements are lower at CMMC Level 1 than at CMMC Level 3.

The capability domains cover multiple areas of cybersecurity and are designed to serve as something of a checklist by keeping the needed safeguards neatly categorized.

These areas of cybersecurity include:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AU)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Contractors Must Get Third-Party Verification

When contractors believe they have implemented the security practices for a specific CMMC level, they must obtain third-party verification. The CMMC Accreditation Body has developed procedures by which approved Third-Party Assessment Organizations evaluate and certify the different CMMC levels.

There are no self-certifications for CMMC.

How Long is CMMC Certification Valid?

A CMMC certificate is valid for a period of 3 years.

Can You Expense the Cost of CMMC Certification?

According to the guidelines, the costs incurred in obtaining CMMC certification are considered an allowable cost. However, a contractor will not be awarded a contract that requires CMMC until it holds the required certification.

Let Leverage IT Group Guide You Through CMMC Compliance

We have compliance experts on our team who know the CMMC requirement inside and out. We will help your business with compliance, auditing, and more.

Contact us today to schedule a free consultation. Call (469) 458-0559 or reach us online.
